The information security policy should clearly communicate
the government’s position on the way its computer systems are
to be developed, implemented, managed, used and disposed.
If previous experience or time is not available, the drafting
of the policy can be outsourced and aligned with the vision,
environment, culture and IT infrastructure of the government.
A small information security policy review committee
should be established that comprises, at a minimum, senior
representatives from the most critical departments/ministries
(e.g., defense, justice/legal, health, finance). This committee
should also include representatives from departments that are
critical to the government’s economic and political objectives
(e.g., energy, industry). Even though it is not necessary for all
members of the committee to have a technical background, it
is useful if the representatives have a basic understanding of
IT and its role in government.
Security awareness is an ongoing process that seeks to ensure
that all users are familiar with the information security
policies and best practices that govern the use of IT assets.
It is good practice to establish a process whereby new
employees are made to attend a security awareness training
session as part of their orientation. This can culminate in
an online lab session and a quiz to ensure understanding.
At the end of the initial training and as part of their annual
assessment, all employees should sign a release indicating that
they accept and understand the policies.
Figure 1—ISM Model for Smaller Governments
Performance Measurement (COBIT) and Compliance With Standards